Database Security
You can use AWS Private Link to connect your AWS hosted services to Shaped without exposing traffic to the public internet. This is particularly useful when your database is hosted in a private subnet or when you need to maintain strict network isolation.
To get started, you'll need the following information from Shaped:
- The endpoint service name (format:
com.amazonaws.region.vpce-svc-xxxxxxxxxxxxxxxx) - The IP ranges that need to be allowed in your security groups
Reach out to our team to get this info and get started.
Setting up PrivateLink for RDS Access
Option 1: AWS Console
- Open the AWS console and navigate to VPC -> Endpoints -> Create endpoint
- Configure the endpoint:
- Service category: Choose: "Endpoint services that use NLBs and GWLBs"
- Service name: Enter the endpoint service name provided by Shaped
- VPC: Select your VPC
- Subnets: Select the subnets where you want to create the endpoint
- Security group: Create or select a security group that allows inbound traffic from Shaped's VPC (using the IP ranges provided by Shaped)
- Policy: Choose "Full access" or create a custom policy
- Click "Create endpoint"
Option 2: AWS CLI
aws ec2 create-vpc-endpoint \
--vpc-id vpc-12345678 \
--service-name com.amazonaws.region.vpce-svc-xxxxxxxxxxxxxxxx \
--vpc-endpoint-type Interface \
--subnet-ids subnet-12345678 subnet-87654321 \
--security-group-ids sg-12345678 \
--private-dns-enabled
Security Configuration
Update your RDS security group to allow inbound traffic from:
- The VPC endpoint security group
- Shaped's IP ranges (provided by the Shaped team)
Configure the VPC endpoint security group to:
- Allow outbound traffic to your RDS instance
- Allow inbound traffic from Shaped's IP ranges